dracut-057-43.git20230816
Resolves: #2158155,#2176560
parent
a5ba84ec9e
commit
ffffb5b27f
41
0038.patch
Normal file
41
0038.patch
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
From abc03e87ef3dff517c1da05643e8a5ec92b1bf14 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lukas Nykryn <lnykryn@redhat.com>
|
||||||
|
Date: Mon, 14 Aug 2023 10:24:14 +0200
|
||||||
|
Subject: [PATCH] feat(spec): include modules for IMA
|
||||||
|
|
||||||
|
Resolves: #2158155
|
||||||
|
---
|
||||||
|
pkgbuild/dracut.spec | 9 ---------
|
||||||
|
1 file changed, 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/pkgbuild/dracut.spec b/pkgbuild/dracut.spec
|
||||||
|
index e148bbf7..b2d75951 100644
|
||||||
|
--- a/pkgbuild/dracut.spec
|
||||||
|
+++ b/pkgbuild/dracut.spec
|
||||||
|
@@ -214,13 +214,6 @@ rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00dash
|
||||||
|
# we do not support mksh in the initramfs
|
||||||
|
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00mksh
|
||||||
|
|
||||||
|
-%if %{defined _unitdir}
|
||||||
|
-# with systemd IMA and selinux modules do not make sense
|
||||||
|
-rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/96securityfs
|
||||||
|
-rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/97masterkey
|
||||||
|
-rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/98integrity
|
||||||
|
-%endif
|
||||||
|
-
|
||||||
|
%ifnarch s390 s390x
|
||||||
|
# remove architecture specific modules
|
||||||
|
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/80cms
|
||||||
|
@@ -394,11 +387,9 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
|
||||||
|
%{dracutlibdir}/modules.d/95zfcp
|
||||||
|
%{dracutlibdir}/modules.d/95zfcp_rules
|
||||||
|
%endif
|
||||||
|
-%if %{undefined _unitdir}
|
||||||
|
%{dracutlibdir}/modules.d/96securityfs
|
||||||
|
%{dracutlibdir}/modules.d/97masterkey
|
||||||
|
%{dracutlibdir}/modules.d/98integrity
|
||||||
|
-%endif
|
||||||
|
%{dracutlibdir}/modules.d/97biosdevname
|
||||||
|
%{dracutlibdir}/modules.d/98dracut-systemd
|
||||||
|
%{dracutlibdir}/modules.d/98ecryptfs
|
||||||
|
|
24
0039.patch
Normal file
24
0039.patch
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
From aaffb39dc86b674501cb447c7fef5dd40aad85fb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lukas Nykryn <lnykryn@redhat.com>
|
||||||
|
Date: Mon, 14 Aug 2023 11:25:19 +0200
|
||||||
|
Subject: [PATCH] fix(dracut): there can be \ at the end on line in awk script
|
||||||
|
|
||||||
|
Related: #2158155
|
||||||
|
---
|
||||||
|
dracut.sh | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/dracut.sh b/dracut.sh
|
||||||
|
index 1ff51bb1..30dfb229 100755
|
||||||
|
--- a/dracut.sh
|
||||||
|
+++ b/dracut.sh
|
||||||
|
@@ -2592,7 +2592,7 @@ if [[ $uefi == yes ]]; then
|
||||||
|
printf "%s " "$(< "$conf")" >> "$uefi_outdir/cmdline.txt"
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
-
|
||||||
|
+ # shellcheck disable=SC1004
|
||||||
|
offs=$(objdump -h "$uefi_stub" 2> /dev/null | gawk 'NF==7 {size=strtonum("0x"$3);\
|
||||||
|
offset=strtonum("0x"$4)} END {print size + offset}')
|
||||||
|
if [[ $offs -eq 0 ]]; then
|
||||||
|
|
24
0040.patch
Normal file
24
0040.patch
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
From 9c1c19de50de5dba6d0875425539cb9259dd7451 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lukas Nykryn <lnykryn@redhat.com>
|
||||||
|
Date: Mon, 14 Aug 2023 12:37:33 +0200
|
||||||
|
Subject: [PATCH] fix(rngd): spacing
|
||||||
|
|
||||||
|
Related: #2158155
|
||||||
|
---
|
||||||
|
modules.d/06rngd/module-setup.sh | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/modules.d/06rngd/module-setup.sh b/modules.d/06rngd/module-setup.sh
|
||||||
|
index 66923a38..1e5f0eb9 100644
|
||||||
|
--- a/modules.d/06rngd/module-setup.sh
|
||||||
|
+++ b/modules.d/06rngd/module-setup.sh
|
||||||
|
@@ -35,7 +35,7 @@ install() {
|
||||||
|
inst_simple "${systemdsystemunitdir}/rngd.service"
|
||||||
|
|
||||||
|
if [ -r /etc/sysconfig/rngd ]; then
|
||||||
|
- inst_simple "${moddir}/sysconfig" "/etc/sysconfig/rngd"
|
||||||
|
+ inst_simple "${moddir}/sysconfig" "/etc/sysconfig/rngd"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# make sure dependant libs are installed too
|
||||||
|
|
49
0041.patch
Normal file
49
0041.patch
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
From 9d2a3df5453001612b225c7423451f6e02e06c19 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alberto Planas <aplanas@suse.com>
|
||||||
|
Date: Mon, 20 Jun 2022 17:13:19 +0200
|
||||||
|
Subject: [PATCH] fix(integrity): do not enable EVM if there is no key
|
||||||
|
|
||||||
|
Track when a key is successfully loaded, and return 1 if no key has been
|
||||||
|
loaded. This will not enable EVM if there are no keys available in the
|
||||||
|
system.
|
||||||
|
|
||||||
|
Fix #1847
|
||||||
|
|
||||||
|
Signed-off-by: Alberto Planas <aplanas@suse.com>
|
||||||
|
|
||||||
|
(Cherry-picked commit: 90585c624af15ba0abb7f32b0c2afc2b122dd019)
|
||||||
|
|
||||||
|
Related: #2158155
|
||||||
|
---
|
||||||
|
modules.d/98integrity/evm-enable.sh | 4 +++-
|
||||||
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
|
||||||
|
index 0abdfb80..913b5f12 100755
|
||||||
|
--- a/modules.d/98integrity/evm-enable.sh
|
||||||
|
+++ b/modules.d/98integrity/evm-enable.sh
|
||||||
|
@@ -99,6 +99,7 @@ load_evm_x509() {
|
||||||
|
fi
|
||||||
|
# load the default EVM public key onto the EVM keyring along
|
||||||
|
# with all the other ones in $EVMKEYSDIR
|
||||||
|
+ local key_imported=1
|
||||||
|
for PUBKEY in ${EVMX509PATH} "${NEWROOT}${EVMKEYSDIR}"/*; do
|
||||||
|
if [ ! -f "${PUBKEY}" ]; then
|
||||||
|
if [ "${RD_DEBUG}" = "yes" ]; then
|
||||||
|
@@ -110,13 +111,14 @@ load_evm_x509() {
|
||||||
|
info "integrity: failed to load the EVM X509 cert ${PUBKEY}"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
+ key_imported=0
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ "${RD_DEBUG}" = "yes" ]; then
|
||||||
|
keyctl show @u
|
||||||
|
fi
|
||||||
|
|
||||||
|
- return 0
|
||||||
|
+ return ${key_imported}
|
||||||
|
}
|
||||||
|
|
||||||
|
unload_evm_key() {
|
||||||
|
|
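Review bot: When the loop in load_evm_x509 finishes without loading any key, the new `return ${key_imported}` exits with 1 silently. The only `info` visible here is the load-failure one, so the boot log cannot distinguish "no key present" from any other reason EVM stayed disabled. Adding `[ "${key_imported}" -eq 0 ] || info "integrity: no EVM X509 cert was loaded"` just before the return would record that decision. The flag uses exit-status polarity (1 means nothing imported yet), which reads backwards against its name, so a comment on the declaration such as `# exit status: stays 1 until at least one key is loaded` would help, and the return value is better quoted as `return "${key_imported}"`. The function starts before the first hunk and the body of the `[ ! -f "${PUBKEY}" ]` branch lies between the two hunks, so how skipped entries are handled is not visible here.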
46
0042.patch
Normal file
46
0042.patch
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
From ecc17a2cd574b31ce6f95f5a7d8ee6c62ecbb51b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pavel Valena <pvalena@redhat.com>
|
||||||
|
Date: Wed, 16 Aug 2023 14:02:51 +0200
|
||||||
|
Subject: [PATCH] fix(fips): include openssl's fips.so and openssl.cnf
|
||||||
|
|
||||||
|
Resolves: #2176560
|
||||||
|
---
|
||||||
|
modules.d/01fips/module-setup.sh | 13 +++++++++++++
|
||||||
|
modules.d/01fips/openssl.cnf | 7 +++++++
|
||||||
|
2 files changed, 20 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
|
||||||
|
index cc9d15ce..7ff5e640 100755
|
||||||
|
--- a/modules.d/01fips/module-setup.sh
|
||||||
|
+++ b/modules.d/01fips/module-setup.sh
|
||||||
|
@@ -82,4 +82,17 @@ install() {
|
||||||
|
dfatal "To create an initramfs with fips support, dracut has to run as root"
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ # if we have openssl we need to install their fips library and configuration
|
||||||
|
+ [ -x /usr/bin/openssl ] && {
|
||||||
|
+ read -r _ conf < <(openssl version -d)
|
||||||
|
+ conf=${conf#\"}
|
||||||
|
+ conf=${conf%\"}
|
||||||
|
+ inst_simple "${moddir}/openssl.cnf" "$conf/openssl.cnf"
|
||||||
|
+
|
||||||
|
+ read -r _ mod < <(openssl version -m)
|
||||||
|
+ mod=${mod#\"}
|
||||||
|
+ mod=${mod%\"}
|
||||||
|
+ inst_simple "$mod/fips.so"
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
diff --git a/modules.d/01fips/openssl.cnf b/modules.d/01fips/openssl.cnf
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..ee9adcf0
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/modules.d/01fips/openssl.cnf
|
||||||
|
@@ -0,0 +1,7 @@
|
||||||
|
+openssl_conf = openssl_init
|
||||||
|
+[openssl_init]
|
||||||
|
+providers = provider_sect
|
||||||
|
+[provider_sect]
|
||||||
|
+default = default_sect
|
||||||
|
+[default_sect]
|
||||||
|
+activate = 1
|
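Review bot: The block added at the end of install() never checks that `openssl version -d` and `openssl version -m` produced a value, so an empty `conf` would install the file as `/openssl.cnf` and an empty `mod` would request `/fips.so`. A guard after each `read`, such as `[ -n "$conf" ] || { dfatal "cannot determine OPENSSLDIR"; return 1; }`, would surface this at image build time. Because the `[ -x /usr/bin/openssl ] && { … }` list is the last command in install(), the function returns non-zero when openssl is absent, which may be treated as a module failure if the caller checks the status; `if [ -x /usr/bin/openssl ]; then … fi` avoids that. The test names `/usr/bin/openssl` while the two calls resolve `openssl` through PATH, so using the absolute path in both places keeps the check and the invocation on the same binary. The new openssl.cnf activates only the default provider although fips.so is installed next to it; a comment in that file saying why no fips provider section is needed would help, since the patch does not explain it. install() begins outside the hunk.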
23
dracut.spec
23
dracut.spec
@ -5,7 +5,7 @@
|
|||||||
# strip the automatically generated dep here and instead co-own the
|
# strip the automatically generated dep here and instead co-own the
|
||||||
# directory.
|
# directory.
|
||||||
%global __requires_exclude pkg-config
|
%global __requires_exclude pkg-config
|
||||||
%define dist_free_release 38.git20230725
|
%define dist_free_release 43.git20230816
|
||||||
|
|
||||||
Name: dracut
|
Name: dracut
|
||||||
Version: 057
|
Version: 057
|
||||||
@ -66,6 +66,11 @@ Patch34: 0034.patch
|
|||||||
Patch35: 0035.patch
|
Patch35: 0035.patch
|
||||||
Patch36: 0036.patch
|
Patch36: 0036.patch
|
||||||
Patch37: 0037.patch
|
Patch37: 0037.patch
|
||||||
|
Patch38: 0038.patch
|
||||||
|
Patch39: 0039.patch
|
||||||
|
Patch40: 0040.patch
|
||||||
|
Patch41: 0041.patch
|
||||||
|
Patch42: 0042.patch
|
||||||
|
|
||||||
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
|
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
|
||||||
|
|
||||||
@ -252,13 +257,6 @@ rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00dash
|
|||||||
# we do not support mksh in the initramfs
|
# we do not support mksh in the initramfs
|
||||||
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00mksh
|
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00mksh
|
||||||
|
|
||||||
%if %{defined _unitdir}
|
|
||||||
# with systemd IMA and selinux modules do not make sense
|
|
||||||
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/96securityfs
|
|
||||||
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/97masterkey
|
|
||||||
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/98integrity
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%ifnarch s390 s390x
|
%ifnarch s390 s390x
|
||||||
# remove architecture specific modules
|
# remove architecture specific modules
|
||||||
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/80cms
|
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/80cms
|
||||||
@ -432,11 +430,9 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
|
|||||||
%{dracutlibdir}/modules.d/95zfcp
|
%{dracutlibdir}/modules.d/95zfcp
|
||||||
%{dracutlibdir}/modules.d/95zfcp_rules
|
%{dracutlibdir}/modules.d/95zfcp_rules
|
||||||
%endif
|
%endif
|
||||||
%if %{undefined _unitdir}
|
|
||||||
%{dracutlibdir}/modules.d/96securityfs
|
%{dracutlibdir}/modules.d/96securityfs
|
||||||
%{dracutlibdir}/modules.d/97masterkey
|
%{dracutlibdir}/modules.d/97masterkey
|
||||||
%{dracutlibdir}/modules.d/98integrity
|
%{dracutlibdir}/modules.d/98integrity
|
||||||
%endif
|
|
||||||
%{dracutlibdir}/modules.d/97biosdevname
|
%{dracutlibdir}/modules.d/97biosdevname
|
||||||
%{dracutlibdir}/modules.d/98dracut-systemd
|
%{dracutlibdir}/modules.d/98dracut-systemd
|
||||||
%{dracutlibdir}/modules.d/98ecryptfs
|
%{dracutlibdir}/modules.d/98ecryptfs
|
||||||
@ -524,6 +520,13 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
|
|||||||
%{_prefix}/lib/kernel/install.d/51-dracut-rescue.install
|
%{_prefix}/lib/kernel/install.d/51-dracut-rescue.install
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Aug 16 2023 Pavel Valena <pvalena@redhat.com> - 057-43.git20230816
|
||||||
|
- feat(spec): include modules for IMA
|
||||||
|
- fix(dracut): there can be \ at the end on line in awk script
|
||||||
|
- fix(rngd): spacing
|
||||||
|
- fix(integrity): do not enable EVM if there is no key
|
||||||
|
- fix(fips): include openssl's fips.so and openssl.cnf
|
||||||
|
|
||||||
* Tue Jul 25 2023 Pavel Valena <pvalena@redhat.com> - 057-38.git20230725
|
* Tue Jul 25 2023 Pavel Valena <pvalena@redhat.com> - 057-38.git20230725
|
||||||
- fix(dracut.sh): use dynamically uefi's sections offset
|
- fix(dracut.sh): use dynamically uefi's sections offset
|
||||||
- fix(dracut.sh): handle imagebase for uefi
|
- fix(dracut.sh): handle imagebase for uefi
|
||||||
|